The proposed settlement, which was announced Tuesday, must gain final approval by a federal judge in the U.S. District Court for the Northern District of California. D-Link is one of the largest developers of routers, IP cameras and other internet-connected devices.

The terms of the settlement may serve as a warning to the IoT makers. Experts say the industry has been plagued by years of insecure software development that has led to widespread botnets, hacking and cybercrime.

The proposed settlement

"Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise," says Andrew Smith, director of the FTC's Bureau of Consumer Protection.

The proposed settlement, which does not impose a fine on D-Link, requires the company to develop a comprehensive software security program and obtain third-party assessments of that program by an organization pre-approved by the FTC. Also, that third-party assessor should not base any of its findings on representations made by D-Link's management.

Those business conduct changes are "noticeably more aggressive" than what the FTC usually demands, says Mark Paulding, a partner with Washington-based InfoLawGroup. "These aggressive demands may also reflect, in part, the acrimonious nature of the lawsuit," Paulding says.

The Cause of Action Institute, a Washington-based group that challenges government regulation, defended D-Link in the complaint. In a statement, D-Link says it is "pleased to reach an amicable resolution with the FTC."

"Notably, this order does not find D-Link Systems liable for any alleged violations," D-Link says. "We chose to defend against this litigation based on our strong belief in the quality and security of our products and practices."

'Easily Preventable' Flaws

The FTC alleged that D-Link "failed to take reasonable software testing and remediation measures to protect their routers and IP cameras against well-known and easily preventable software security flaws, such as 'hard-coded' user credentials and other backdoors, and command injection flaws."

The complaint also focused on D-Link's marketing practices that the agency alleged violate the FTC Act, which addresses deceptive acts and unfair competition. The agency alleged that D-Link marketed its products as secure when many of its devices contained software vulnerabilities that put consumers at risk.

The Cause of Action Institute noted in its statement that the settlement does not include a "finding of deceptive marketing statements or practices by D-Link Systems."

D-Link left default usernames and passwords on devices and stored login credentials insecurely, the FTC alleged. Also, the FTC contended D-Link left a private code-signing key on a public website for more than six months. That poses a risk that someone could sign malicious software with D-Link's key and the malware would appear legitimate.

U.S. District Judge James Donato dismissed one of the counts by noting the FTC didn't demonstrate that any consumer's personal or financial data had been compromised as a result of security failings in D-Link's devices. Another two counts were dismissed for not meeting civil procedure rules.

Security Improvements

The proposed settlement outlines a series of steps that D-Link must follow to avoid further action. Those steps include maintaining a "comprehensive software security program" for 20 years. D-Link must designate qualified employees to oversee that program.

It also must change how it builds security into its products. That includes threat modelling, using automated static analysis tools for pre-release code reviews, and conducting vulnerability testing before a product is released.

D-Link must maintain "a database of shared code to be used to help find other instances of a vulnerability when a vulnerability is reported," the FTC ruled.

Also, D-Link must have a designated point of contact for security researchers to report issues. Bug hunters often complain of difficulty in contacting companies and that their vulnerability reports elicit no response.

Another widespread problem with IoT devices is that manufacturers eventually stop issuing security updates. Consumers are often unaware when their router, for example, is considered to be at the end of its life.

The FTC will require D-Link to provide "clear and conspicuous notice" to consumers who have registered a device that it will no longer receive firmware updates. If the proposed settlement is approved, D-Link must contact consumers who have registered their products and provide instructions for how to update their devices with the latest firmware.

About the Author

Kirk is a veteran journalist who has reported from more than a dozen countries. Based in Sydney, he is Managing Editor for Security and Technology for Information Security Media Group. Prior to ISMG, he worked from London and Sydney covering computer security and privacy for International Data Group. Further back, he covered military affairs from Seoul, South Korea, and general assignment news for his hometown paper in Illinois.
